CDR: ZKS -- the path to world domination

Adam Back adam at cypherspace.org
Tue Nov 21 22:00:47 PST 2000


For some reason I didn't see Greg's message earlier and only recently
saw Declan's forwarded snippets on politech (I'm not currently
subscribed to politech).  The closing remark at the bottom of Declan's
post (from Declan) was "Neither Austin nor anyone at Zero Knowledge
replied to the above message."  My personal reason for not responding
was I didn't see the message.  Austin travels an awful lot, so I
wouldn't take a lack of an immediate response as acquiescence or an
unwillingness to respond.

The following is as always my personal opinion.

I'm going to skip over the reporting and speculation about sales
figures discussion and the little skirmish over that.

> > Declan fails to mention that Freedom was never targeted toward
> > Cypherpunks; our goal was to incorporate Cypherpunk-level
> > cryptography and philosophies into a privacy tool that would empower
> > the average Internet user to manage their privacy
> > online. Cypherpunks can build privacy tools for themselves; our
> > target market for Freedom is consumers who are concerned with their
> > privacy.
> 
> Sure - cypherpunks are a very small market, so it would be very
> difficult for even a small business to survive on cypherpunk sales
> alone.
> 
> However, that doesn't mean that cypherpunk purchases and evaluations
> are unimportant, or can be dismissed.

Cypherpunk opinions matter as cypherpunks are privacy and
crypto-anarchy related crypto technology critics -- the analog of film
critics in this domain -- the punters listen to them, reporters listen
to them.  And in Declan's case some reporters are able technology
critics themselves.

Another reason would be that freedom is a popularisation and
development of cypherpunk developed technologies and ideas such as
cypherpunk type I and type II remailers, alpha nymservers, PipeNet,
traffic shaping etc.  So it is entirely expected that the opinions of
the people who developed and thought about these original
technologies, and had ideas about how one might progress with them are
important.  Indeed a number of cypherpunks who were involved in some
of these implementations and discussions are currently working at ZKS.

Cypherpunks also has a pretty high clue factor on privacy and
anonymity technology so you'd want to listen to what is said and worry
if they were saying things which couldn't be answered.

> [Greg writes about the role of early adopters, etc. all good stuff]
> 
> What your analysis seems to miss is the role that's played by the
> innovators and the early adopters in bringing a product or a
> technology to a maturity level where it's acceptable to the much
> larger middle market.

I understand that, and offer the additional comments above.

There hasn't been as much comment (apart from Wei's comments, and some
offlist comments from Lucky) as one might expect about technology
choices and protocol design despite the open white papers.  I'm hoping
the new clearer, more detailed white papers coming with 2.0 will help
stimulate such discussion.

> Comments on the cypherpunks list and at physical meetings seem to
> suggest that Freedom is not enjoying a good adoption rate within
> what's likely a big part of that adoption curve. I've only seen a
> few users of ZKS nyms on public mailing lists, which ought to be a
> popular use for them; a web search with Google and HotBot doesn't
> reveal any use of @freedom.net email addresses showing up in mailing
> list archives.

Let me clarify a few things about this extrapolation.

- freedom 1.x mail system used reply blocks.  There were a number of
problems with this reliability, usability and performance wise.  Some
of these were inherent to reply blocks (bit rot, and server churn
causes reply blocks to die), some of it implementation related (retry
semantics for mail forwarding), some of it to do with relying on third
parties for long term operational reliability (which reply blocks do
for you).

- freedom 1.x allows you to post to news but not to read news
anonymously (you have to use dejanews or some other news browser).  So
(You could read news non-anonymously by just using your ISP NNTP
server, but clearly there are problems -- an attacker could mark
messages you read and correlate you to your nyms that way.)

These two things mean that there are more people using freedom 1.x
browsing than freedom 1.x mail.  So you aren't going to see an
accurate portrayal of user base from email alone.

- freedom 2.x has an all new mail system, the workings of which will
be described in fair detail in a white paper which will be released
RSN.  Those playing with the beta will have observed this mail system
in action.  This new mail system is much easier to use, much more
reliable, and much faster.  I'd also argue that the 2.x mail system is
more secure as it doesn't use reply blocks which are inherently
vulnerable to subpoena attack.  But then I designed it, so I'll let
others critique it.  (There is forward secrecy at all stages in the
movement of mail in the new system, with maximum of 1/2 hour key
cycling.)

- freedom 2.x is also much more configurable so you can route other
protocols over the cloud, or existing protocols over other ports.

> If you can point to concrete numbers showing adoption rates, I'm 
> sure that many people would be interested - but telling us
> that you (as a founder of the company) are happy with your sales
> doesn't do much to tell the rest of us about what's happening
> inside ZKS. My impression - from my own experience, 

Some negative experience with its workings?  Could you elaborate?

> from the lack of apparent adoption by others, 

I offer the above explanation for the large imbalance between web and
email users in 1.x.  It's really quite severe.

My gut feel is that email would be a popular app for pseudonymity.
Opinions solicited of course, but I personally was usually more
interested in pseudonymous or anonymous mail.  It does actually matter
if you use the web to look up things you're writing about and you're
trying to be strongly anonymous, but typically I haven't been that
paranoid.

Anyway we'll see if there is a big pick up in mail usage with freedom
2.0, which will be the proof of whether or not the freedom user base
likes mail.

Web is probably perceived still as "relatively anonymous" for many
uses despite the realities of profiling and a fair degree of logging
of IPs, logins, and caller-ID by ISPs which can relatively easily be
correlated with phone records.

The integration mechanism with the mail system (and web, IRC, telnet,
ssh etc), which works as a transparent local proxy, is pretty painless, and
works automatically with pretty much any mailer with no user
configuration of the mailer.  Much smoother integration than even
emacs mail-crypt's nym support.  (I haven't looked at windows stuff
that much, but I'm pretty sure it's nicer than private idaho etc as
you get to use your existing mailer).  The linux client is nicer than
premail for pseudonymity too.

> and from ZKS' reframing of its business from stronger protection to
> weaker protection to the new "privacy consulting" stuff is that ZKS
> is searching for its niche in the marketplace, and hasn't found it
> yet.

This isn't a re-framing, it's phase II, and it's been planned since
day one.  Austin has been talking about being a privacy broker between
users and companies for years, it was part of the grand plan for
"total world domination" since the early days.  Probably some have
heard him speak about it at conferences over the last couple of years.

In this model you're trying to build a privacy architecture in which
users can conduct business privately.  So clearly involving businesses
is a good idea to enrich what you can do.  You're just starting to see
that with phase II.

The press release was kind of sloppy because it had lots of "all new"
claims about Managed Privacy Services (as well as the reference to
"split keys", which was actually trying to talk about reply blocks).
Reading it one would tend to come away with a very disjointed view.

But as I said actually MPS is only "new" in the sense that phase II of
the privacy architecture plan has been gearing up for a while now.
But it's all part of the big privacy architecture picture that ZKS is
trying to build.  So this means for example people using freedom to
conduct business pseudonymously and so on.

> There's nothing wrong with that - look at AT&T, or the other
> long distance carriers moving away from consumer services, or
> the AOL/Time merger - but denying things which are readily 
> apparent doesn't inspire confidence.

While the press release leaves one with a disjointed impression, it's
misleading.  Neither the "Zero Knowledge, after poor software sales,
tries new gambit" summary and title Declan came away with after
reading that press release, nor the extrapolation of users from the
observed mail usage are accurate pictures as I explain above.  They
are probably reasonable conclusions to draw from the available
information, but the available information was misleading and
incomplete respectively.

Austin quoted by Greg:
> > In fact, upon review we found that since the costs of doing the bare
> > minimum padding (full link padding from the client node to the first
> > server node) could not be supported by what we felt users were
> > willing to pay for privacy, we reviewed our threat model and lowered
> > the bar on the what we were trying to accomplish.

That's not the way I would express the effect of the changes in the
protocol, though it is an accurate description of understanding about
traffic analysis at the time the decision was made.

More recent understanding, as we examined how to strengthen the threat
model is that the existing attacks are not all prevented by the
original high bandwidth overhead link padding scheme.  In fact it
would appear that the padding does not even offer much in the way of
additional protection because a powerful attacker can with similar
resources to without the padding still engage in active attacks and
timing attacks to achieve similar result.

Greg writes:
> > Based on this, we believe we are the strongest privacy solution on the
> > market. (In fact most other privacy companies claim that we are 'killing a
> > fly with a bazooka' by going overboard with strong crypto and multi-hop
> > routing).
> 
> I think everyone agrees that ZKS has built the strongest commercially
> available client-side privacy system.
> 
> Again, that's not the interesting question. The interesting question is
> "Is it strong enough?" 

It's as strong as we could make it.  Private interactive
communications are a hard problem.  As Wei and I were discussing in
the "PipeNet protocol" thread in the last couple of weeks, there are 4
main properties you're trying to optimise over:

1. security (resistance to traffic analysis)
2. performance
3. bandwidth efficiency (cost)
4. DoS resistance

It appears pretty hard to get more than one of these properties with
theoretical optimality.  PipeNet gets the first one with good
theoretical security, but none of the others are good.  Freedom makes
an engineering tradeoff which does reasonably on all 4.

If anyone has anything to suggest about how freedom protocols could be
improved in any of these criteria, or how one could build a hybrid
based on PipeNet, freedom or dc-nets, or other new ideas, I'm always
interested to discuss.

Lucky had some comments in email about padding, however as I discussed
with him the padding costs bandwidth without defending against similar
cost attacks.  The other similar cost attacks do not appear to be
possible to defend against without using PipeNet or DC-net properties.

I'd invite Lucky to resume this discussion publicly as he is quoted by
Declan stating ZKS didn't make freedom as strong as we could have:

Lucky wrote:
| Freedom (TM) as shipping does not adequately protect the users'
| privacy. [...]

Continuing, Wei's PipeNet has some pretty nice security properties,
but it's hard to deal with the performance and DoS resistance issue.
PipeNet effectively deals with the traffic analysis problem by
shutting down the entire network immediately if any active traffic
analysis attempts are made.  It doesn't appear to be possible to
distinguish between active traffic analysis attempts and network
congestion or modem drops, so it also would suffer from poor
performance and unreliability.

DC-nets are nice too but bandwidth cost is probably prohibitively
high and DoS (disrupters) are a problem there too.

We're working on the traffic analysis problem trying to optimise this
problem.

> I think everyone agrees that ZKS has built the strongest commercially
> available client-side privacy system.
> 
> Again, that's not the interesting question. The interesting question is
> "Is it strong enough?" 
> 
> Everyone who's looked at the question - from your accounts, inside ZKS,
> and outside people - seems to agree that nobody knows, or if they know
> they're not telling. 

I hope the above can start some discussion of strength against traffic
analysis.

> > Lucky, by claiming that we are misleading our users or not protecting their
> > privacy because of the lack of resistance to traffic analysis is
> > irresponsible and is allowing the best to be the enemy of the good.*
> 
> This may be true - but your message was the first one that I've seen which
> describes clearly the changes made in Freedom's design and implementation
> between v1 and v2, and I'm a customer. 

Note v2 has not shipped yet except in beta form.  The white papers are
being updated to ship before or with v2, including the new mail system
white paper.

> (Not an active one, due to configuration issues, but you've got some
> of my $, and didn't bother to tell me that the traffic-analysis
> resistance I thought I paid for has been eliminated because it
> turned out to be difficult.)
> 
> While I greatly appreciate your candor - and am confident that your
> analysis of the economics of the bandwidth required to foil traffic
> analysis was correct - I do think there's perhaps some room for 
> improvement re keeping people up-to-date on what sort of protection
> they can expect from Freedom and ZKS.

I think we can more robustly defend the freedom protocol than that.
It's pretty close to the best you can do practically with current
state of the art and knowledge about defending against traffic
analysis.  That's a fairly aggressive statement with a practical
deployed system due to all the issues that come up with engineering
tradeoffs and complexities of actually developing such a complex
system.

So as I say it's not because we've decided not to bother, it's because
when you actually look at the engineering issues, and the traffic
analysis attacks, it's harder than one might predict to start with.

Now I think this is a concern for everyone because with strong crypto,
mathematics is on our side, and we can effectively laugh at USG's
earlier attempts to put the genie back into the bottle.  They lost
that one.

But anonymity systems, particularly interactive ones, don't appear to
offer near as steep an advantage to the defender vs the attacker.

So I'd encourage people to think about the above described problems,
because in my view it is a problem that matters for crypto-anarchy. 

> If you are ever in the mood to update the Freedom FAQ, I suggest that
> the following questions would be helpful ones to answer -

The section of the FAQ that covers the questions you're asking is:

http://www.freedom.net/faq/index.html?r=6#11

The short answer is no, no, and very.  But with the caveat that this
is a relatively complex system, and despite our best efforts at
auditing code, and protocols, publishing protocols for peer review,
hiring third party auditors (counterpane) there may be bugs.  This is
to my mind the most important aspect of open source -- so people can
review what it does, and compare that to what the white papers say
it's intended to do.  I'd encourage people to help review the code in
the same way that PGP was scrutinised.  Also note the known issues
with the protocols and with the current implementation are in the
security issues white paper.  This is being updated for 2.0.

> Q:	If I post a message critical of a big company using a Yahoo
> forum, and the Yahoo registration data points back to my Freedom
> account (email and source IP), will the big company be able to get
> my personal information from you with a subpoena?
> 
> Q:	If I post a message to a mailing list which has some 
> source code that a big company thinks violates the DMCA, and the
> big company calls the FBI, will the FBI be able to get my
> personal information from you with a subpoena? 
> 
> Q:	What happens if I make someone really, really angry and
> they come to your offices and point guns at your employees ..
> will they be able to get my personal information from you? Assume
> they shoot a few people to show they're serious. Then will
> you find a way to give them my personal information? What if they
> take your computer equipment away from you (or one of your
> participating ISP's) at gunpoint, and take it back to their
> hideout for analysis. How difficult will it be for them to
> get my personal information? 

I'd just like to make these two comment commitments which I'll reveal
later when certain projects are announced to demonstrate that they
were planned for some time.

b26ecfce97bc6c090585a254a297ba5143280cce commit
a47d3b46da014002b34d02c3a0524a3209c3c6ae commit2

(They have big random nonces in them, so don't even think about
guessing).

Adam
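
The commit-now, reveal-later scheme used at the end of the message above, as an added example that is not part of the original post. The post does not say which hash function or nonce layout was used, so SHA-256, a 32-byte nonce, the length-prefixed encoding and all function names here are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_BYTES = 32  # assumed nonce size; the post only says "big random nonces"


def commit(message: bytes, nonce: bytes | None = None) -> tuple[str, bytes]:
    """Return (digest_hex, nonce). Publish the digest; keep message and nonce private."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_BYTES)
    # Length-prefix the nonce so the nonce/message boundary is unambiguous.
    data = len(nonce).to_bytes(2, "big") + nonce + message
    return hashlib.sha256(data).hexdigest(), nonce


def verify(digest_hex: str, message: bytes, nonce: bytes) -> bool:
    """Check a revealed (message, nonce) pair against the published digest."""
    expected, _ = commit(message, nonce)
    return hmac.compare_digest(expected, digest_hex.lower())


def matches_bare_hash(digest_hex: str, candidates: list[bytes]) -> bytes | None:
    """Why the nonce matters: a bare hash of a guessable message is
    confirmed by hashing a short list of candidate messages."""
    for candidate in candidates:
        if hashlib.sha256(candidate).hexdigest() == digest_hex:
            return candidate
    return None


def demo() -> dict:
    # Constructed sample announcements, not the contents of the post's commitments.
    secret = b"Project A announced"
    candidates = [b"Project A announced", b"Project B announced"]
    bare = hashlib.sha256(secret).hexdigest()
    digest, nonce = commit(secret)
    return {
        "bare_hash_guessed": matches_bare_hash(bare, candidates),
        "commitment_guessed": matches_bare_hash(digest, candidates),
        "honest_reveal": verify(digest, secret, nonce),
        "altered_reveal": verify(digest, candidates[1], nonce),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce provides hiding (readers cannot confirm a guess before the reveal) and the hash provides binding (the committer cannot later reveal a different message).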